Subject: Re: [EXT] Re: [cacao] Agenda for next Tuesday's call


I have no heartburn over YAML.  I think for the most part you can go back and forth between JSON and YAML.  I like some of the things you have done in this.  What is the license on this design, if we decided to use parts of it?

Bret


From: JP Bourget (Syncurity) <jp@syncurity.net>
Sent: Monday, October 14, 2019 8:34 AM
To: Allan Thomson <athomson@lookingglasscyber.com>
Cc: Allen Hadden <ahadden@us.ibm.com>; Bret Jordan <Bret_Jordan@symantec.com>; cacao@lists.oasis-open.org <cacao@lists.oasis-open.org>; Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Subject: [EXT] Re: [cacao] Agenda for next Tuesday's call
Hi everyone, 

I want to throw what we are doing into the ring. We utilize an open source WF language/engine called Orquesta which is part of the Stackstorm project, which, while already open source - was donated to the Linux Foundation recently. It's a graph based workflow language that in my opinion in many ways solves a lot of what this group is trying to solve for. For sure - I have identified some areas for improvement, but we are using it for security workflows in production environments and it's fared quite well. 

My guess is that the biggest pushback from this group will be that it's written in YAML and not JSON. While I understand the drawbacks of YAML, I believe it's easier for a non-developer analyst to use YAML with the proper linting IDE. For evaluations for transitions it uses Jinja or YAQL to evaluate decisions similar to how Ansible works.


I have more security specific examples - but I'll leave it to everyone's imagination for now as I would need to sanitize them a bit. 


On Mon, Oct 14, 2019 at 10:04 AM Allan Thomson <athomson@lookingglasscyber.com> wrote:

Allen – I ‘think’ we (or at least you and I do) agree that BPMN is probably overkill for what we need.


To re-iterate my perspective, I think a subset of what BPMN does in JSON is sufficient for ‘most’ requirements. I’m not sure I agree the JSON translation that was pointed to is the best approach from my perspective. Taking something that was designed for XML and much broader uses is not necessarily the most effective way to design something.


My point was that the group should discuss the pros/cons in the upcoming meeting on approaches (not just BPMN) so that we can have consensus on an approach that works for all orgs participating.


Regards


Allan


From: Allen Hadden <ahadden@us.ibm.com>
Date: Monday, October 14, 2019 at 5:08 AM
To: Allan Thomson <athomson@lookingglasscyber.com>
Cc: "Bret_Jordan@symantec.com" <Bret_Jordan@symantec.com>, "cacao@lists.oasis-open.org" <cacao@lists.oasis-open.org>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Subject: RE: [cacao] Agenda for next Tuesday's call


Our product uses BPMN for playbooks today.  I'd say that there's nothing that CACAO will want to do that cannot in some way be represented in BPMN.  There is nothing (or at least very little) in BPMN that wouldn't be useful for CACAO.  This shouldn't be surprising since BPMN is intended to express business processes and what we're talking about with playbooks are exactly that...business processes, but in the security domain.


The problem is that if you look at BPMN, a lot of what's there would just be considered "nice to have" from a CACAO perspective.  Good example:  swim lanes.  Could you come up with a CACAO use case that could make use of swim lanes?  Sure.  Would they be required?  Not really.


A lot of the advanced BPMN features are only useful when you start trying to express general organizational playbooks (e.g. CompanyX's Malware Process) instead of playbooks targeted at mitigating specific threats (e.g. Mitigate MalwareX).


Another problem is that full BPMN is so large that realistically the only way to develop a product with it is to integrate an existing BPMN product.  Implementing your own would be a ton of work and adapting it to fit a less flexible model in an existing product would be tough.  So on the one hand, it's great to be able to leverage an existing library.  OTOH, is that a position we want to take as a spec?


One option worthy of consideration is to take the JSON-translation that Jason K. linked and define the following:


1) a "whitelist" showing which elements are to be included (e.g. don't include "swim lanes" if we don't think they're important).

2) specific extensions to the model (BPMN supports extension elements and we'd very likely need some...for example, "service tasks" for OpenC2, Ansible, etc.)

3) object models on which the process will depend (e.g. it could be that a playbook works against a "threat", which would probably be a STIX model)


Probably there are other things we'd need besides those 3, but that should get the ball rolling if we decide to consider that path.


Allen

Allen Hadden
STSM & Chief Architect | IBM Resilient
w: 508-560-3502
e: ahadden@us.ibm.com


----- Original message -----
From: Allan Thomson <athomson@lookingglasscyber.com>
Sent by: <cacao@lists.oasis-open.org>
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Bret Jordan <Bret_Jordan@symantec.com>
Cc: "cacao@lists.oasis-open.org" <cacao@lists.oasis-open.org>
Subject: [EXTERNAL] Re: [cacao] Agenda for next Tuesday's call
Date: Fri, Oct 11, 2019 7:56 PM

The intention is to take relevant lessons from BPMN.


We debate whether we want to have only a subset or the entire BPMN for this given that BPMN covers a much broader perspective/goal.


When we discussed this in the past the smaller group felt that we didn’t need or want the burden of the entire BPMN. It comes with both complexity and a burden to support all of that when for cybersecurity operations a subset may be fine.


Allan


From: <cacao@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Friday, October 11, 2019 at 3:55 PM
To: Bret Jordan <Bret_Jordan@symantec.com>
Cc: "cacao@lists.oasis-open.org" <cacao@lists.oasis-open.org>
Subject: Re: [cacao] Agenda for next Tuesday's call


Isn't this BPMN in JSON? https://github.com/bpmn-io/bpmn-moddle/blob/master/resources/bpmn-io/json/bioc.json


-
Jason Keirstead
Chief Architect - IBM Security Threat Management
www.ibm.com/security

"Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure."

- Thomas J. Watson



From: Bret Jordan <Bret_Jordan@symantec.com>
To: "cacao@lists.oasis-open.org" <cacao@lists.oasis-open.org>
Date: 10/11/2019 05:03 PM
Subject: [EXTERNAL] [cacao] Agenda for next Tuesday's call
Sent by: <cacao@lists.oasis-open.org>

All,

On next week's working call we will be talking through the initial work that has been done on the specification document [1] and addressing next steps.  Please review the document before the call and if possible, add your comments and suggestions.  There are many parts that are still missing; we have just barely scratched the surface.  Please feel free to make some contributions.

We have been looking at JSONLogic as an option for some of the control logic.  But if someone has more familiarity with BPMN and could do a translation to JSON, that would also be a possible option for us.

Thanks
Bret and Allan

[1] - https://docs.google.com/document/d/1uQCWItomFvQ466MdGhx_0IHfJ4HOfboIRftmomVvrqY/edit#
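Allen's three points above (a whitelist of BPMN element types that leaves swim lanes out, a service-task extension naming OpenC2 or Ansible as the execution target, and a threat object the playbook works against), together with the JSONLogic control logic Bret mentions, worked through in one added example. This is not part of the thread, the CACAO draft or any vendor's product: the element and field names (including the "implementation" field), the two executors, the whitelist contents and the sample threat object are assumptions made here, and the JSONLogic evaluator covers only the handful of operators the sample needs.

```python
"""BPMN-style playbook subset in JSON with JSONLogic-style gateway rules. Added example,
not CACAO text or any vendor's code; element types, the "implementation" extension,
the executors and the sample threat are assumptions."""
import json
import operator

# Point 1: the whitelist. "lane" (swim lanes), "subProcess", ... are rejected before running.
ALLOWED_TYPES = {"startEvent", "endEvent", "serviceTask", "exclusiveGateway"}
# Point 2: serviceTask "implementation" extension; hypothetical executors that only record
# the request they would send. "target" may be a literal or a JSONLogic rule over the context.
EXECUTORS = {
    "openc2": lambda p, ctx: ctx["actions"].append(("openc2", p["action"], json_logic(p["target"], ctx))),
    "ansible": lambda p, ctx: ctx["actions"].append(("ansible", p["playbook"])),
}
COMPARE = {"==": operator.eq, "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def json_logic(rule, data):
    """Evaluate a JSONLogic subset: var, ==, <, <=, >, >=, and, or, in."""
    if not isinstance(rule, dict):
        return rule                                  # literals evaluate to themselves
    (op, args), = rule.items()
    if not isinstance(args, list):
        args = [args]
    if op == "var":                                  # dotted lookup with optional default
        cur = data
        for part in str(args[0]).split("."):
            if not isinstance(cur, dict) or part not in cur:
                return args[1] if len(args) > 1 else None
            cur = cur[part]
        return cur
    v = [json_logic(a, data) for a in args]
    if op == "and":
        return next((x for x in v if not x), v[-1])  # first falsy value, else the last
    if op == "or":
        return next((x for x in v if x), v[-1])      # first truthy value, else the last
    if op == "in":
        return v[0] in v[1]
    if op in COMPARE:
        return COMPARE[op](v[0], v[1])
    raise ValueError(f"unsupported JSONLogic operator {op!r}")

def validate(pb):
    """Return every problem found against the subset; an empty list means accepted."""
    errors = [f"{e['id']}: type {e['type']!r} is outside the subset"
              for e in pb["elements"] if e["type"] not in ALLOWED_TYPES]
    errors += [f"{e['id']}: unknown implementation {e.get('implementation')!r}" for e in pb["elements"]
               if e["type"] == "serviceTask" and e.get("implementation") not in EXECUTORS]
    if sum(e["type"] == "startEvent" for e in pb["elements"]) != 1:
        errors.append("exactly one startEvent is required")
    return errors

def load_playbook(text):
    pb = json.loads(text)                            # parse, then fail closed on anything unsupported
    errors = validate(pb)
    if errors:
        raise ValueError("; ".join(errors))
    return pb

def run_playbook(pb, threat, max_steps=50):
    """Walk start -> ... -> end. Point 3: the playbook acts on a threat object (STIX-like dict)."""
    elems = {e["id"]: e for e in pb["elements"]}
    outgoing = {i: [f for f in pb["flows"] if f["source"] == i] for i in elems}
    ctx = {"threat": threat, "actions": []}
    cur = next(e for e in elems.values() if e["type"] == "startEvent")
    for _ in range(max_steps):                       # bounded so a cyclic graph cannot spin forever
        if cur["type"] == "endEvent":
            return ctx
        if cur["type"] == "serviceTask":
            EXECUTORS[cur["implementation"]](cur.get("params", {}), ctx)
        flows = outgoing[cur["id"]]
        if cur["type"] == "exclusiveGateway":        # flows whose condition holds, else the default flow
            flows = ([f for f in flows if json_logic(f.get("condition", False), ctx)]
                     or [f for f in flows if f.get("default")])
        if len(flows) != 1:
            raise ValueError(f"{cur['id']}: expected exactly one outgoing flow, got {len(flows)}")
        cur = elems[flows[0]["target"]]
    raise RuntimeError("step budget exhausted; the playbook graph probably loops")

# Constructed sample: triage by severity and type, then contain (OpenC2) or collect (Ansible).
SAMPLE = {"elements": [
    {"id": "start", "type": "startEvent"}, {"id": "triage", "type": "exclusiveGateway"},
    {"id": "contain", "type": "serviceTask", "implementation": "openc2",
     "params": {"action": "contain", "target": {"var": "threat.host"}}},
    {"id": "collect", "type": "serviceTask", "implementation": "ansible",
     "params": {"playbook": "collect_triage.yml"}},
    {"id": "end", "type": "endEvent"}], "flows": [
    {"source": "start", "target": "triage"},
    {"source": "triage", "target": "contain", "condition": {"and": [
        {">=": [{"var": "threat.severity"}, 7]},
        {"in": [{"var": "threat.type"}, ["malware", "ransomware"]]}]}},
    {"source": "triage", "target": "collect", "default": True},
    {"source": "contain", "target": "end"}, {"source": "collect", "target": "end"}]}
# The same playbook with a swim lane added, which the whitelist rejects.
WITH_SWIMLANE = {**SAMPLE, "elements": SAMPLE["elements"] + [{"id": "soc", "type": "lane"}]}

def triage(threat):
    return run_playbook(load_playbook(json.dumps(SAMPLE)), threat)["actions"]

if __name__ == "__main__":
    print(triage({"type": "ransomware", "severity": 9, "host": "ws-017"}))
    print(validate(WITH_SWIMLANE))
```

Two design choices are worth noting. Validation happens at load time, not when a node is reached, so a playbook that uses an element outside the agreed subset is refused whole rather than failing halfway through containment. And because the playbook is plain data once parsed, a YAML author could feed the same validator after parsing; nothing here depends on the serialization.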